
Training Course: Designing Secure Web Applications

Description

The design and implementation of secure Web Applications is a huge challenge that requires significant expertise in programming, web application development, and IT Security. This course is designed exclusively for experienced web-application developers to empower them to develop secure web applications by illuminating the most common serious vulnerabilities and how to avoid them.

Audience

Experienced Java, C#, and PHP web-application developers seeking to understand and avoid introducing common security vulnerabilities into their designs and applications.

Duration

3 Days

Objectives

Be familiar with common web application security vulnerabilities

Understand how security vulnerabilities can be introduced into web applications

Understand how to properly validate Untrusted Input

Understand the purpose and benefits of Data Sanitization

Be familiar with the Input Validator and Sanitizer Design Patterns

Be prepared to avoid SQL Injection Vulnerabilities

Be prepared to avoid Cross-Site Scripting (XSS) Vulnerabilities

Be prepared to avoid Authentication and Session Vulnerabilities

Be better prepared to test web application security

Setup

A Web Application Server Environment, such as:

Java 2 Enterprise Edition (J2EE)

Microsoft C# .NET Studio

Apache and PHP

A Web Browser and Proxy, such as:

Firefox

TamperData

A Database Management System, such as:

Apache Derby

SQL Server Express

Text

Course Workbook

Prerequisites

Application Security and the SDLC

A solid understanding of either Java and JSPs, OR C# .NET and ASPs, OR PHP

Outline

Topic 1: Introduction

Welcome

Motivation

Course Objectives

Course Overview

The Software Development Lifecycle (SDLC)

Security in the SDLC

The Importance of Security Requirements

Application Security in Context

Lab Exercise: Requiring Security

Quiz

Topic 2: Preventing Malformed Input

Validating Untrusted Input

Handling Unexpected Input

Validating Input Data

Input Validator Design Pattern

What is a Regular Expression?

Regular Expressions: Example

More Regular Expressions

More Regular Expression Examples

Lab Exercise: Input Validation

Quiz

Topic 3: Preventing Injection Attacks

What is an Injection Attack?

Preventing Injection Attacks

Validating Untrusted Input

Syntactic Validation

Logical Validation

Data Encoding

Client Side Data Validation

Server Side Data Validation

Where to Validate

Handling Unexpected Input

Example: Using Tamper Data

Lab Exercise: Injection Rejection

Quiz

Topic 4: Preventing XSS

What is Cross-site Scripting?

Example: Cross-site Scripting

Exploiting XSS Vulnerabilities

Case Study: But I don’t Like Spam

Preventing Cross-site Scripting

Preventing XSS in HTML Body

Preventing XSS in HTML Attributes

Preventing XSS in JavaScript Data Values

Example: A Simple Encoder

Example: Encoding at Work

Lab Exercise: Injection Rejection

Quiz

Topic 5: Preventing SQL Injection

What is SQL Injection?

Case Study: I Still Don’t Like Spam

Preventing SQL Injection

Prepared Statements

Lab Exercise: Injection Rejection

Quiz

Topic 6: Preventing Command Injection

What is Command Injection?

Case Study: Do the Math

Preventing Command Injection

Other Injection Attacks

Preventing Direct Object References

Preventing Format String Attacks

Summary of Special Characters

Encoding Special Characters

Lab Exercise: No, You do the Math

Quiz

Topic 7: Preventing Other Vulnerabilities

How Do You Prevent…?

Lab Exercise: What’s in Your Wallet?

Quiz

Topic 8: Miscellaneous Topics

Application Security in Perspective

Security Manager Design Pattern

Avoiding Common Vulnerabilities

Security in the SDLC

The Security Design Review

The OWASP ESAPI

Appendix: Developing Secure Mobile Applications

Appendix: Summary of Special Characters

Appendix: Quiz Answers

Register

For more information or to register for this training course, call 1-800-840-2335 or contact us on our website.
